zorath-env v0.3.2: Secret Detection and Environment Diff

zorath-env v0.3.2 adds secret detection to catch leaked AWS keys, Stripe tokens, and credentials in .env files. New zenv diff command compares environment files to find config drift between dev, staging, and production.


zorath-env v0.3.2 is now available. This release adds secret detection to catch accidentally committed credentials and a new diff command to compare environment files across deployments.

Release Highlights

  • Secret detection scans for AWS keys, Stripe tokens, GitHub tokens, private keys, and more
  • zenv diff command compares two .env files to find differences
  • High-entropy detection catches potential API keys and secrets
  • URL password detection finds embedded credentials in connection strings

Secret Detection

Accidentally committing secrets to version control is one of the most common security mistakes. API keys, database passwords, and access tokens end up in .env.example files, commit history, and public repositories.

zorath-env v0.3.2 adds the --detect-secrets flag to scan for potential credentials:

zenv check --detect-secrets

What It Detects

The secret scanner identifies 10 categories of sensitive data:

| Pattern | Examples | Description |
|---------|----------|-------------|
| AWS Access Keys | AKIA... | Access key IDs starting with AKIA |
| AWS Secret Keys | 40-character strings | Secret access keys |
| Stripe API Keys | sk_live_, sk_test_, pk_live_, pk_test_ | Stripe publishable and secret keys |
| GitHub Tokens | ghp_, gho_, ghs_, ghr_ | Personal access tokens, OAuth tokens |
| GitLab Tokens | glpat- | Personal access tokens |
| Slack Tokens | xoxb-, xoxp-, xoxa- | Bot and user tokens |
| Private Keys | -----BEGIN RSA PRIVATE KEY----- | RSA, SSH, PGP private key headers |
| JWT Tokens | eyJ... | JSON Web Tokens |
| URL Passwords | ://user:pass@host | Embedded credentials in URLs |
| High-Entropy Strings | 32+ character random strings | Potential API keys or secrets |

Example Output

Given a .env file with potential secrets:

AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DATABASE_URL=postgresql://admin:supersecret123@db.example.com/mydb
STRIPE_KEY=sk_live_51ABC123DEF456GHI789
API_TOKEN=a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0

Running zenv check --detect-secrets:

$ zenv check --detect-secrets

Warning: Potential secrets detected:

- AWS_ACCESS_KEY_ID (line 1): AWS Access Key ID
- AWS_SECRET_ACCESS_KEY (line 2): AWS Secret Access Key
- DATABASE_URL (line 3): URL contains embedded password
- STRIPE_KEY (line 4): Stripe API Key
- API_TOKEN (line 5): High-entropy string (possible secret)

These values may be real secrets. Consider using placeholders in committed files.
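An added reference implementation of the detection logic described above, written in Python for this page and not code from the zorath-env project: the regexes, the 4.0 bits/char entropy cutoff and the "AWS-named key plus 40-character value" rule are my assumptions, and the embedded .env is a constructed copy of the page's example. Run over that sample it reports the same five findings, in the same order, as the zenv output above.

```python
import math
import re
from urllib.parse import urlsplit
# Constructed copy of the page's example .env (AWS documentation placeholders, not live keys).
SAMPLE_ENV = """\
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DATABASE_URL=postgresql://admin:supersecret123@db.example.com/mydb
STRIPE_KEY=sk_live_51ABC123DEF456GHI789
API_TOKEN=a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0
"""
# Prefix-shape patterns for the page's categories (regexes assumed; zenv's own are not published here).
PATTERNS = [
    ("AWS Access Key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("Stripe API Key", re.compile(r"\b[sp]k_(?:live|test)_[0-9A-Za-z]{10,}\b")),
    ("GitHub Token", re.compile(r"\bgh[posr]_[0-9A-Za-z]{20,}\b")),
    ("GitLab Token", re.compile(r"\bglpat-[0-9A-Za-z_-]{20,}\b")),
    ("Slack Token", re.compile(r"\bxox[bpa]-[0-9A-Za-z-]{10,}\b")),
    ("Private Key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("JWT Token", re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+\b")),
]

def parse_env(text):
    """Yield (line_no, key, value) for KEY=VALUE lines; skips blanks and comments, drops quotes."""
    for no, raw in enumerate(text.splitlines(), 1):
        if (line := raw.strip()) and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            yield no, key.removeprefix("export ").strip(), value.strip().strip("\"'")

def shannon_entropy(s):
    """Shannon entropy of s in bits per character."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def classify(key, value):
    """Return the finding label for one variable, or None if it looks benign."""
    if "AWS" in key.upper() and re.fullmatch(r"[A-Za-z0-9/+]{40}", value):
        return "AWS Secret Access Key"  # 40-char secret under an AWS-named key
    for label, pattern in PATTERNS:
        if pattern.search(value):
            return label
    if "://" in value and urlsplit(value).password:
        return "URL contains embedded password"
    if len(value) >= 32 and " " not in value and shannon_entropy(value) >= 4.0:
        return "High-entropy string (possible secret)"  # 4.0 bits/char is an assumed cutoff
    return None

def scan(text):
    """Return [(key, line_no, label)] for every variable that looks like a secret."""
    return [(k, n, lbl) for n, k, v in parse_env(text) if (lbl := classify(k, v))]
```

The entropy rule is what makes a generic 40-character token like API_TOKEN show up without any known prefix; tune the cutoff for your own false-positive tolerance.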

When to Use Secret Detection

Run secret detection in these scenarios:

Before committing .env.example:

zenv check --env .env.example --detect-secrets

In CI/CD pipelines:

- name: Check for leaked secrets
  run: |
    cargo install zorath-env
    zenv check --env .env.example --detect-secrets

Pre-commit hook:

#!/usr/bin/env bash
set -e

if [ -f ".env.example" ]; then
  zenv check --env .env.example --detect-secrets || {
    echo "Secret detection found potential credentials!"
    exit 1
  }
fi

Privacy First

Secret detection runs entirely locally. No data leaves your machine. zorath-env never uploads, phones home, or sends telemetry. Your secrets stay private.

Environment Diff

Different environments often have different configurations. Development uses localhost, staging uses test credentials, production uses real services. When these drift apart, deployments fail.

The new zenv diff command compares two .env files:

zenv diff .env.development .env.production

What It Shows

The diff output shows three categories:

  1. Variables only in the first file - missing from the second
  2. Variables only in the second file - missing from the first
  3. Variables with different values - present in both but changed

Example Output

Given two environment files:

.env.development:

DATABASE_URL=postgresql://localhost/mydb
NODE_ENV=development
DEBUG_MODE=true
API_URL=http://localhost:3000

.env.production:

DATABASE_URL=postgresql://prod-db.example.com/mydb
NODE_ENV=production
API_URL=https://api.example.com
SENTRY_DSN=https://key@sentry.io/123

Running zenv diff:

$ zenv diff .env.development .env.production

Only in .env.development:
- DEBUG_MODE

Only in .env.production:
- SENTRY_DSN

Different values:
- DATABASE_URL: "postgresql://localhost/mydb" vs "postgresql://prod-db.example.com/mydb"
- NODE_ENV: "development" vs "production"
- API_URL: "http://localhost:3000" vs "https://api.example.com"
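The three-way comparison above, as an added Python example written for this page (not zenv's own code): the two embedded files are constructed copies of the page's examples, and the .env parsing rules (comments skipped, optional export prefix, surrounding quotes removed, last duplicate wins) are my assumptions.

```python
# Constructed copies of the page's two example files.
DEV_ENV = """\
DATABASE_URL=postgresql://localhost/mydb
NODE_ENV=development
DEBUG_MODE=true
API_URL=http://localhost:3000
"""
PROD_ENV = """\
DATABASE_URL=postgresql://prod-db.example.com/mydb
NODE_ENV=production
API_URL=https://api.example.com
SENTRY_DSN=https://key@sentry.io/123
"""

def parse_env(text):
    """Parse KEY=VALUE lines into a dict in file order; a repeated key's last value wins."""
    env = {}
    for raw in text.splitlines():
        if (line := raw.strip()) and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.removeprefix("export ").strip()] = value.strip().strip("\"'")
    return env

def diff_env(first, second):
    """Return the three categories zenv diff reports: keys only in the first file,
    keys only in the second, and {key: (first_value, second_value)} where both differ."""
    a, b = parse_env(first), parse_env(second)
    only_first = [k for k in a if k not in b]
    only_second = [k for k in b if k not in a]
    changed = {k: (a[k], b[k]) for k in a if k in b and a[k] != b[k]}
    return only_first, only_second, changed

def format_diff(first_name, second_name, first, second):
    """Render the result in the same layout as the zenv output shown above."""
    only_first, only_second, changed = diff_env(first, second)
    out = [f"Only in {first_name}:"] + [f"- {k}" for k in only_first]
    out += ["", f"Only in {second_name}:"] + [f"- {k}" for k in only_second]
    out += ["", "Different values:"] + [f'- {k}: "{x}" vs "{y}"' for k, (x, y) in changed.items()]
    return "\n".join(out)

if __name__ == "__main__":
    print(format_diff(".env.development", ".env.production", DEV_ENV, PROD_ENV))
```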

Schema Validation with Diff

Add the --schema flag to also validate both files against your schema:

zenv diff .env.staging .env.production --schema env.schema.json

This catches both configuration drift AND type/validation errors in a single command.

Use Cases

Catch missing production variables:

zenv diff .env.example .env.production

Find variables defined in your example but missing from production.

Compare across environments:

zenv diff .env.staging .env.production

Verify staging matches production before deployment.

Audit configuration changes:

zenv diff .env.backup .env

See what changed since the last backup.

Combining Features

Use secret detection and diff together for comprehensive checks:

# Check for secrets in example file
zenv check --env .env.example --detect-secrets

# Compare environments with schema validation
zenv diff .env.staging .env.production --schema env.schema.json

In CI/CD:

name: Environment Validation

on: [push, pull_request]

jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install zenv
        run: cargo install zorath-env

      - name: Check for secrets
        run: zenv check --env .env.example --detect-secrets

      - name: Validate schema
        run: zenv check --env .env.example --schema env.schema.json

Full Changelog

v0.3.2 (2026-01-16)

Added:

  • Secret detection with --detect-secrets flag for zenv check
  • Detection patterns for AWS, Stripe, GitHub, GitLab, Slack tokens
  • Private key header detection (RSA, SSH, PGP)
  • JWT token detection
  • URL embedded password detection
  • High-entropy string detection for potential API keys
  • zenv diff command to compare two .env files
  • Schema validation support in diff command

Changed:

  • Improved validation output formatting
  • Better error messages for file operations

Installation

First-Time Install

Via cargo:

cargo install zorath-env

Download binary (no Rust required):

Visit GitHub Releases and download for your platform:

  • Linux: zenv-linux
  • macOS Intel: zenv-macos-intel
  • macOS Apple Silicon: zenv-macos-arm
  • Windows: zenv.exe

Upgrade

# Via cargo
cargo install zorath-env --force

# Check version
zenv version --check-update

Verify the installation:

$ zenv version
zenv v0.3.2

